Advertising, Tracking and Privacy


@ Practising Law Institute

8
Advertising, Tracking,
and Privacy

Digital advertising started out as a mirror of real-world
advertising: an image placed on a website, just like a billboard.
Such static advertising is now rare, having been replaced
by more sophisticated methods for providing targeted ads—
mobile pop-ups, ads before videos, and others—that are more
likely to appeal to individual users. Modern online advertis-
ing effectively means that no two users have the same digital
experience because ads are often provided dynamically and
ad content can vary based on the underlying digital content,
or on what a user has previously viewed online.
There are currently two basic models of digital advertising:
contextual (or content-based) advertising and behavioral
advertising. Content-based advertising relies only on the web-
site itself, not on user input, to determine what ad is shown.
If you are viewing a travel website that lets users search for
deals on hotels, you may be shown an ad for a rental car due
to the site’s content. The premise is that delivering an ad that
has a connection to the web content would make the
advertisement more effective—someone who is looking for hotels
may also be looking to book rental cars. Because site content
and not information collected from the user triggers the ad,
contextual advertising raises few privacy concerns.
By contrast, online behavioral advertising (OBA) relies on
information about web browsing behavior by individual users
to generate ads and requires companies to collect and ana-
lyze users’ online behavior in ways that implicate privacy.
Other terms like “interest-based advertising” and “behav-
ioral targeting advertising” are also used to describe OBA.
With the advent of more sophisticated tracking technology
and interconnected devices, users may even see the same
targeted ads across each Internet-connected device. Alterna-
tively, users may experience ads that are differentiated based
on which device they are using and their activity on other
connected devices.
While user data is often valuable because it can be used to
generate more effective and lucrative advertising, the underlying
data itself may also have value. For companies that generate
large databases of consumers’ personal information,
those databases can be a source of revenue, and of privacy
law obligations. Even companies that only generate or collect
small volumes of consumer data are better served by being
aware of the way their consumers’ information may be collected,
stored, or used by other parties.
This chapter provides an overview of the different types of
advertising and tracking mechanisms, and best practices for
complying with applicable privacy laws.

Overview
Online Behavioral Advertising
Regulation, Enforcement, and Compliance
  Generally
  Best Practices and Industry Guidelines
  California Online Privacy Protection Act
  Electronic Communications Privacy Act
  Computer Fraud and Abuse Act
  Children’s Online Privacy Protection Act
  Video Privacy Protection Act
Tracking and Collection of User Data
  Cookies
  Data Brokers
  Collection of Information from Multiple Sources
Social Media Advertising
  Social Context Advertising
Digital Contact Tracing

Overview
Q 8.1 What is online tracking, and how does
it work?
Basic online tracking records the browsing history of a user. More
sophisticated tracking technology can record things like time spent
on a page as a means of judging user engagement. Once that infor-
mation is collected, analytic software can search the data to discern
patterns in a user’s activity that can be used to provide targeted
advertisements.

Q 8.2 How is user activity online being captured?


Browser-based tracking commonly occurs through the use of
“cookies”—small text files that are placed on a user’s computer and
that store information about browser activity conducted on that com-
puter. Such cookies contain a unique user identifier (UUID), which
permits the anonymous identification of the same user over time.
HTML 5—the most recent version of the standard markup language
for creating web pages and web applications—contains a standard for
browser-based storage of this information, though the switch from
using cookies to browser-based storage has proceeded slowly.1 There
are also methods for tracking user data through JavaScript, and on
mobile devices, tracking may be done through platform-specific sub-
stitutes for cookies.2


Q 8.3 Can users still be identified and tracked if
they “block” cookies and browser-based
storage of their data?
Often, yes. One substitute for cookies is a technique called “fin-
gerprinting,” which can be used to identify individual devices or
users and track them across multiple websites even when cookies are
turned off. As the name implies, a “fingerprint” of the device is cre-
ated based on information about the hardware or software of a device
user—e.g., screen resolution, battery level, color depth, list of fonts,
and platform. This technique allows tracking of a user across multiple
browsers on the same device.3
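
The following added example (not part of the original chapter) simulates the point made in Q 8.3: a cookie identifier is lost when cookies are cleared, while a hash of device attributes is not, and reporting coarse, common values makes two devices indistinguishable. The attribute names, the sample devices, and the `normalize` mitigation are assumptions made for illustration.

```python
import hashlib
import uuid

# Device-level inputs named in the text. Battery level is left out because
# it changes from minute to minute and would make the hash unstable.
FINGERPRINT_KEYS = ("screen_resolution", "color_depth", "fonts", "platform")


def fingerprint(attrs):
    """Hash the device attributes a page script can read into one identifier."""
    canonical = "|".join(f"{key}={attrs[key]}" for key in FINGERPRINT_KEYS)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()[:16]


def normalize(attrs):
    """Hypothetical mitigation: report common, bucketed values instead of exact ones."""
    width, height = (int(n) for n in attrs["screen_resolution"].split("x"))
    return {
        "screen_resolution": f"{width // 200 * 200}x{height // 100 * 100}",
        "color_depth": 24,
        "fonts": "default-set",
        "platform": attrs["platform"],
    }


class Browser:
    """Toy browser: its own cookie jar, plus the device attributes it exposes."""

    def __init__(self, name, device_attrs, resist_fingerprinting=False):
        self.name = name
        self.cookies = {}
        self.exposed = (
            normalize(device_attrs) if resist_fingerprinting else dict(device_attrs)
        )

    def clear_cookies(self):
        self.cookies.clear()


def observe(browser):
    """What a tracking script learns on one page load: (cookie id, fingerprint)."""
    if "uid" not in browser.cookies:
        browser.cookies["uid"] = str(uuid.uuid4())  # issued on first visit
    return browser.cookies["uid"], fingerprint(browser.exposed)


# Constructed sample devices (not real measurements).
LAPTOP_A = {"screen_resolution": "1920x1080", "color_depth": 30,
            "fonts": "Arial,Calibri,Fira Code", "platform": "Win32"}
LAPTOP_B = {"screen_resolution": "1904x1050", "color_depth": 24,
            "fonts": "Arial,Helvetica", "platform": "Win32"}


def run_scenario():
    first = Browser("browser-1", LAPTOP_A)
    second = Browser("browser-2", LAPTOP_A)  # a different browser, same device
    cookie_before, fp_before = observe(first)
    first.clear_cookies()
    cookie_after, fp_after = observe(first)
    _, fp_second = observe(second)
    hardened_a = Browser("hardened", LAPTOP_A, resist_fingerprinting=True)
    hardened_b = Browser("hardened", LAPTOP_B, resist_fingerprinting=True)
    return {
        "cookie_survives_clearing": cookie_before == cookie_after,
        "fingerprint_survives_clearing": fp_before == fp_after,
        "same_fingerprint_across_browsers": fp_before == fp_second,
        "devices_distinguishable_raw":
            fingerprint(LAPTOP_A) != fingerprint(LAPTOP_B),
        "devices_distinguishable_normalized":
            observe(hardened_a)[1] != observe(hardened_b)[1],
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value}")
```
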

Q 8.4 Can activity on different devices
be connected?
Yes. Beyond browser activity, a variety of other data points may
be collected and used in conjunction with the techniques discussed
above to serve even more tailored advertisements online. For exam-
ple, if a person tracks his or her fitness data using wearable technol-
ogy and downloads an associated application on their mobile device,
the presence of that application (or the act of downloading and install-
ing the application) may be detected using techniques like fingerprint-
ing. That user may be served ads related to his or her fitness activity,
especially when using a browser on that same device. With a greater
variety of devices collecting a greater variety of specific data, the indi-
vidual privacy landscape is rapidly changing and evolving.4 (For the
purposes of this chapter, all of the above tracking techniques will be
referred to as forms of online behavioral advertising (OBA), though
their specific privacy implications may differ.) Companies that collect
user data need to be aware not only of the advertising and tracking
mechanisms that they implement, but also of the landscape of advertising
and tracking that affects their users, in order to assess the risks their
customers face.


Q 8.5 What are the differences between online
behavioral advertising and content-based
advertising?
The primary difference between OBA and content-based advertis-
ing is that OBA gathers information from users, over time and often
across multiple platforms or devices, while content-based advertising
does not. In so doing, OBA is linked to the web browsing history of a
particular computer or device and, therefore, raises privacy concerns
about how that information is used and secured. A breach of OBA data
could, for example, expose a user’s private Internet browsing activity
to public view. Content-based advertising, which does not require col-
lection of browsing activity data, does not pose the same risks.

Online Behavioral Advertising


Q 8.6 What is online behavioral advertising?
In general, OBA is any form of advertising that provides a specific
ad to a specific computer’s browser based on past online activity on
that computer. For example, if a computer recently was used to search
online for engagement rings and flowers, then showing the user an
advertisement for wedding dresses based on that search is OBA. The
wedding dress ad is selected because it fits the user’s pattern of online
activity. When an ad for a wedding dress is shown to a user after that
user on one site has viewed that dress on another site,5 that ad is a
type of OBA known as “retargeting.”
Many kinds of online activity can be tracked. These include the
pages browsed on a website, the time spent on the website, the clicks
made, the date of the visit, and the overall interaction with the site.6
The online music-streaming company Pandora, for example, has dis-
closed that it delivers targeted advertising based on users’ music pref-
erences. Those who listen to country music are more likely to hear
ads for politically conservative causes, while those who listen to clas-
sical music are more likely to hear ads for politically liberal causes.7
OBA only works if the website displaying the advertisement knows
about prior browsing activity, which requires storing and analyzing
data about browsing behavior over time and often across platforms.
Privacy concerns arise when companies start monitoring, storing, and
evaluating the way individuals behave, especially if that data can be
traced back to a “real-world” person with a name and address.

Q 8.6.1 How does tracking work in online behavioral
advertising?
The website seeking to deliver OBA needs two categories of infor-
mation: information that uniquely identifies the user’s browser, and
information about online behavior through that browser. The user’s
browser can be “uniquely identified” by an anonymous UUID; a user
can be identified through a user-selected ID, or an actual name. When
tracking users, web browsing history in the form of URLs is often used,
but this information can be combined with other information, such as
purchase history.
To be clear, a browser and a user are not the same thing, and
the distinction between them can be quite important for analysis of
privacy issues. The browser is the program on the computer—like
Internet Explorer, Chrome, or Firefox—through which the user con-
ducts online activity. The user is the individual human being who goes
online. It is quite common for multiple individuals to use the same
browser on a particular computer or device.
Because OBA works by using the web browsing history informa-
tion, if a computer is shared with multiple users, OBA will deliver
advertisements based on the browsing history that is connected to
that device, rather than based on an individual user. For example,
three members of a family using Internet Explorer on the family PC will
appear as the same “user.” Similarly, colleagues may share a computer
at the office; friends may pass around their mobile devices at a social
gathering to browse on each other’s devices; or community members
may share a computer at the public library. In all of these scenarios,
the browser does not distinguish among the individual users. Rather,
the browsing data gathered from these users’ online sessions, and the
OBA served back to these users as a result, will reflect the users’ col-
lective activity. Conversely, if a user surfs the Internet on Safari part
of the time and Firefox part of the time, the cookies on each browser
would only record her activity on each individual browser. As mentioned
previously, fingerprinting and other tracking techniques allow
a user’s activity to be tracked while on the device and uniquely identified,
allowing tracking across multiple browsers.
In an “Internet of Things” or IoT context, multiple devices—each
potentially with its own unique identifier and Internet connection—
may be associated with one user. Each device may store a particu-
lar kind of data—e.g., health data, location data, sleep data—which,
if connected, may create a detailed picture of multiple aspects of one
user’s activity. Amalgamated data may create different privacy risks.

Q 8.6.2 What information must an operator collect for
advertising to be considered online behavioral
advertising?
Once a company starts tracking browsing history as a way to deter-
mine what ads to show, it is engaging in OBA. It is important to note
that OBA can be targeted anonymously. The website does not need to
know the identity of the individual to deliver a behavioral ad to that
person’s browser.
Companies use different methods and collect varying amounts of
information to deliver OBA. Some companies do not seek to identify
the particular users to whom the OBA is targeted; these companies
use websites employing anonymous user IDs to monitor the activities
of the users who have visited that website. In contrast, other com-
panies want very much to identify the actual person using the web
browser, which allows the company to conduct more sophisticated
OBA targeting—but also creates a considerably greater risk that this
tracking might run afoul of privacy protection statutes.

Q 8.6.3 Would an operator be liable after a data breach if
it had anonymized all of its data by, for example,
using Universally Unique Identifiers (UUIDs)?
It is sometimes possible to trace back “anonymous” information
(like a list of search queries) to a real-world person. A company con-
cerned about its users’ privacy should still identify each user by a
randomly generated UUID, rather than user-provided information
such as name, because it provides another layer of protection for the
users’ identities. In most cases, a company can use a UUID to provide
online behavioral advertising; as long as the information about browsing
habits and history is recorded, sophisticated ad targeting is possible.
Anonymizing data alone may not prevent lawsuits for alleged pri-
vacy violations in the event of a data breach, but it can be a strong
protector against potential liability. In some recent litigation after
data breaches, companies have successfully asserted as a defense to
liability that no consumer could show actual harm as a result of the
breach.8 Anonymized data is less likely to lead to actual consumer
harm because it is impossible, or at least requires more effort, to link
the anonymized data to an individual.
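
An added illustration of this answer, not taken from the original chapter: names are replaced by randomly generated UUIDs, and a k-anonymity count then shows that the remaining attributes can still single out a user until they are coarsened. It goes slightly beyond the text by adding the k-anonymity check; the sample records, field names, and generalization rules are constructed assumptions.

```python
import uuid
from collections import Counter

# Constructed tracking records (not real data): a user-provided name plus
# attributes that are not names but can still narrow down a person.
RAW_EVENTS = [
    {"name": "Alice Example", "zip": "94107", "birth_year": 1984, "url": "/rings"},
    {"name": "Alice Example", "zip": "94107", "birth_year": 1984, "url": "/flowers"},
    {"name": "Bob Sample", "zip": "94107", "birth_year": 1984, "url": "/hotels"},
    {"name": "Carol Test", "zip": "10001", "birth_year": 1990, "url": "/cars"},
    {"name": "Dan Placeholder", "zip": "10001", "birth_year": 1996, "url": "/cars"},
]

# Assumed quasi-identifiers: fields an outsider could plausibly already know.
QUASI_IDENTIFIERS = ("zip", "birth_year")


def pseudonymize(events):
    """Replace each name with a random UUID; return (records, lookup table).

    The lookup table is the only link back to the name. It is meant to be
    stored apart from the behavioral data, or not kept at all.
    """
    lookup = {}
    records = []
    for event in events:
        uid = lookup.setdefault(event["name"], str(uuid.uuid4()))
        record = {key: value for key, value in event.items() if key != "name"}
        record["uid"] = uid
        records.append(record)
    return records, lookup


def group_sizes(records):
    """Count distinct pseudonymous users per quasi-identifier combination."""
    users = {}
    for record in records:
        users[record["uid"]] = tuple(record[q] for q in QUASI_IDENTIFIERS)
    return Counter(users.values())


def k_anonymity(records):
    """Smallest group size; k == 1 means at least one user is unique."""
    return min(group_sizes(records).values())


def singled_out(records):
    """UUIDs whose quasi-identifier combination belongs to nobody else."""
    sizes = group_sizes(records)
    return sorted({
        record["uid"] for record in records
        if sizes[tuple(record[q] for q in QUASI_IDENTIFIERS)] == 1
    })


def generalize(records):
    """Coarsen the quasi-identifiers: 3-digit ZIP prefix and birth decade."""
    coarse = []
    for record in records:
        changed = dict(record)
        changed["zip"] = record["zip"][:3] + "**"
        changed["birth_year"] = record["birth_year"] // 10 * 10
        coarse.append(changed)
    return coarse


def run_audit():
    records, lookup = pseudonymize(RAW_EVENTS)
    coarse = generalize(records)
    return {
        "users": len(lookup),
        "k_raw": k_anonymity(records),
        "singled_out_raw": len(singled_out(records)),
        "k_generalized": k_anonymity(coarse),
        "singled_out_generalized": len(singled_out(coarse)),
    }


if __name__ == "__main__":
    for name, value in run_audit().items():
        print(f"{name}: {value}")
```
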

Regulation, Enforcement, and Compliance


Generally
Q 8.7 Which government agencies are active
in enforcing regulations related to online
behavioral advertising?
The most active agency at the federal level is the Federal Trade
Commission (FTC), which has jurisdiction over unfair and deceptive
practices, including with respect to online advertising.9 Many state
attorneys general are also active on data privacy issues, including
OBA.

Q 8.7.1 What statutes govern online behavioral
advertising?
No comprehensive federal statutory framework governs OBA. The
Children’s Online Privacy Protection Act (COPPA) and accompanying
FTC regulations, discussed in chapter 3 and at Q 8.13 below,
apply to websites that collect data from children, and several other
statutes—such as HIPAA, the Stored Communications Act, and the Fair
Credit Reporting Act—have been used to challenge particular com-
panies’ data collection or use practices, both in the ordinary course
of business as well as after data breaches have occurred.10 Another
federal statute that plaintiffs commonly cite in their complaints is the
Computer Fraud and Abuse Act (CFAA) (see Q 8.12).11


Several states have enacted laws governing data collection and use
in their jurisdictions. But because the Internet is not bound by state
borders, these laws are an effective “floor” for all widely available sites
that collect their users’ data. One key state statute, the California Online
Privacy Protection Act (known as “CalOPPA”), is discussed in more
detail below.12 California has also recently enacted the California
Consumer Privacy Act (CCPA), which provides further protection
to consumers and their online data. (See chapter 9.) Most other state
laws either provide a lower threshold or closely mirror one of the four
federal statutes discussed here. Legislation and regulation regarding
interconnected devices remains in its infancy, but recent activity sug-
gests that Congress and government agencies may issue new stan-
dards in this area.13

Q 8.7.2 How does the FTC enforce its restrictions on online
behavioral advertising?
As discussed in chapter 1, the FTC has authority to regulate
“unfair or deceptive acts and practices” in interstate commerce under
section 5 of the original FTC Act.14 There is considerable agency prec-
edent about what constitutes a “deceptive” act, much of it premised
on the concept that advertising must not be materially deceptive and,
in the online context, that advertising practices and associated data
collection must be consistent with a site’s stated privacy policies.
In the privacy context, it is less clear what is meant by “unfair”
acts, since the term suggests a substantive notion of fairness that is
not defined in the FTC Act or by any FTC regulation. As a general mat-
ter, the FTC has long made clear that to be unfair, a business practice
must satisfy a three-part test: The practice must cause substantial
injury; that injury must not be outweighed by associated benefits to
consumers or to competition; and the injury must be of a sort that
consumers themselves could not reasonably have avoided.15 In recent
years, the FTC has begun enforcing the unfairness prong of its authority
in the context of data security, suggesting that the FTC considers a
certain level of security as to individuals’ data (especially personally
identifiable information) to be necessary in order to meet the expec-
tation of fairness.

The FTC issued a set of guidelines in March 2012[16] espousing principles
called “privacy by design” (see Q 1.13 et seq.), which recommend
that companies consider consumer privacy at every stage of
designing a product or service—including when implementing OBA.17
The FTC also recommends that users be given a clear, easy mecha-
nism for opting out of data collection about their online activities, and
that companies disclose how they collect and use user data. These
recommendations are non-binding, but they provide a clear indication
of the FTC’s perspective on online data privacy. In combination with
state statutes, these recommendations present some basic substan-
tive guidelines that companies may wish to follow when looking for
best practices in the areas of OBA and data collection.

* CASE STUDY: Turn Inc.

In 2017, the FTC announced its final settlement with a California-based
company, Turn Inc., with respect to its misrepresentations
regarding its data-tracking policies. The company’s privacy policy
told consumers they could block targeted advertising by using
their web browser’s settings to block or limit cookies.18 The FTC’s
complaint alleged, however, that Turn used unique identifiers to
track tens of millions of Verizon Wireless customers, even after
they blocked or deleted cookies from websites. The opt-out
mechanism also only applied to mobile browsers.19
Pursuant to the consent order, Turn Inc. is barred from any further
misrepresentations about its tracking policies, and must comply
with certain notice policies.20 Turn also must provide an effective
opt-out for consumers who do not want their information
used for targeted advertising and place a prominent hyperlink
on its home page that takes consumers to a disclosure explain-
ing what information the company collects and uses for targeted
advertising.21


Q 8.7.3 How does the FTC treat pre-installed software?


Pre-installed software is also under scrutiny for this kind of adver-
tising and tracking. For example, Lenovo Group Ltd. (“Lenovo”) agreed
to a class action settlement requiring Lenovo and Superfish to pay
the class $7.3 million and $1 million, respectively.22 Lenovo Inc. had
previously agreed to settle charges by the FTC, and thirty-two state
attorneys general, that Lenovo had harmed consumers by pre-loading
software on some laptops that compromised security protections in
order to deliver ads to consumers.23 “VisualDiscovery” was devel-
oped by Superfish Inc. and acted as a “man-in-the-middle” software
program between consumers’ browsers and the websites they visited.
Without the consumers’ knowledge or consent, VisualDiscovery was
able to access all of a consumer’s sensitive information transferred
over the Internet, including login credentials, Social Security num-
bers, medical information, and financial payment information, allow-
ing VisualDiscovery to deliver pop-up ads from Superfish’s retail part-
ners whenever a user’s cursor hovered over a similar looking product
on a website. Following the settlement with the attorneys general,
Lenovo must get consumers’ affirmative consent before pre-installing
this kind of software and implement a comprehensive software secu-
rity program for the next twenty years (audited by third parties)
addressing the consumer software pre-loaded on its laptops. Further,
Lenovo is prohibited from misrepresenting any features of software
pre-loaded on laptops that will inject advertising into consumers’
Internet browsing sessions or transmit sensitive consumer informa-
tion to third parties.

Best Practices and Industry Guidelines


Q 8.8 What are the best practices for using online
behavioral advertising?
Companies that deploy online behavioral advertising (OBA) should
consider certain best practices endorsed by the digital advertising
industry and derived from federal and state agencies and laws. First
and foremost, websites that collect information from users should
have a privacy policy that is clearly accessible from the homepage.
(For more information on privacy policies, see chapter 2.) The policy
should inform the user about OBA practices and should provide users
an opportunity to control whether, and how, their personal information
is used.24 If any personally identifiable information (PII) is collected
from users, or if users create usernames with passwords to log
into the website, those users should explicitly and affirmatively con-
firm that they have read and agreed to the privacy policy governing
the data collected by that site (usually via a check box).
In addition, these best practices call for PII to be de-identified (see
Q 5.4.4), not collected, or anonymized to the extent commercially
practicable. If it is not necessary to collect PII for broader business
purposes, companies should consider whether it should be collected
to deliver ad content. For example, a UUID might serve as a means of
tracking a particular user over time for purposes of providing OBA.
Any anonymous data—and particularly any PII—should be maintained
only as long as necessary to serve a legitimate business purpose.
Companies that contract with third parties to obtain or analyze
information about user behavior, or deliver ad content, should care-
fully review their contracts with these third parties and be sure they
are fully aware of what information is being utilized and exchanged,
how that information was obtained, and how it is being secured.

Q 8.9 Are there any industry guidelines for online
behavioral advertising (OBA) best practices?
Multiple independent third-party organizations have published
“best-practices” guidelines regarding OBA, which, while not binding,
provide a framework for strong policies and procedures.25
Two such sets of third-party guidelines for companies using OBA
are particularly well settled in the online advertising industry. One is
agreed upon and implemented by its members, while the other is a set
of best practices recommended by a consortium of industry organiza-
tions, including the Better Business Bureau.
The Network Advertising Initiative (NAI) is an industry group that
focuses exclusively on online and mobile advertising.26 The NAI has
over 100 member companies, all of which are third-party online adver-
tising technology companies, including AOL, Google, and Microsoft.
The NAI has a “Code of Conduct” that its member companies agree
to follow, which includes recommendations on the form of notice and
choice that members should offer in their delivery of online advertising,
as well as restrictions on the manner in which its members
may acquire and use the data they collect.27 Member companies are
monitored for compliance through the year. Companies found not to
be in compliance can work with the NAI to rectify the issues, or face
sanctions, including suspension or revocation of membership, and/or
referral to the FTC.
The Digital Advertising Alliance (DAA) is an independent non-
profit organization that collaborates with businesses in the advertis-
ing industry organizations, as well as public policy groups and public
officials.28 The DAA has released four sets of self-regulatory principles
that apply:
(1) to online behavioral advertising in general;
(2) to OBA that takes place across multiple websites;
(3) to OBA that takes place across multiple devices; and
(4) specifically to the sphere of mobile advertising.29

Q 8.9.1 What should companies do to comply with the
Network Advertising Initiative (NAI) guidelines?
The NAI has released multiple versions of its code of conduct.
The most current version is the 2020 code, which came into effect on
January 1, 2020, makes a number of material changes in requirements
for NAI members, and is the most comprehensive overhaul since the
release of the original. The Code provisions only apply to member
companies that involve third parties in some way in their delivery
of OBA (examples of third parties include OBA servicing companies,
such as DoubleClick, or partnerships with nonaffiliated websites). The
central tenet of the Code is that differing notice and choice obligations
should apply depending on the sensitivity and proposed use of the
data.
The NAI Code of Conduct refers to three types of data: PII, Device-
Identifiable Information (DII, formerly known as non-PII), and ano-
nymized or “de-identified” data. The Code imposes different obliga-
tions on these different types of data. The Code requires NAI members
to allow users to opt out of the use of DII for OBA.

The NAI Code defines PII as “data that is used, or intended to
be used, to directly identify a particular individual”; DII as “data
that is linked to a browser, device, or group of devices, but is not
used, or intended to be used, to directly identify an individual”; and
De-Identified Information as “data that is not linked to either an indi-
vidual or a device.”
In the 2020 Code, the NAI shifts its terminology of PII from
“Personally-Identifiable” to “Personally-Identified.” This change in
definition moves away from hypothetical uses of the data to address
what a given member company publicly pledges to do with the data.
The new terminology reflects the understanding that, with enough
resources, many types of DII can be linked to an identifiable individ-
ual. The 2020 Code also slightly changes the definition for DII, such
that intent to use DII data to link it to PII no longer precludes it from
being categorized as DII as opposed to PII.
The 2020 Code requires NAI members to provide a PII-based opt-
out mechanism. Additionally, NAI members must also provide a mech-
anism to enable users to access the PII the member has, as well as
an option to delete all PII (and related DII) except for the minimum
necessary to maintain the opt-out status.
Beyond the aforementioned data categories, the 2020 NAI Code
also imposes heightened obligations on Sensitive Data and Precise
Location Data. Under the 2020 Code, Sensor Data and Personal
Directory Data will also be subject to heightened obligations, such as
requiring opt-in consent. NAI members must also disclose cross-de-
vice linking in website privacy policies.
The 2020 Code expands the scope of the NAI’s self-regulation to
data collection and data use on televisions and peripheral devices.
The 2020 Code raises the minimum age on the prohibition on the uses
of OBA from thirteen to sixteen, as consistent with the CCPA. The
2020 Code will require that NAI members disclose the political audi-
ence-targeting segments they use for digital advertising.
The NAI Code of Conduct requires “clear, meaningful, and prom-
inent notice” to users regarding OBA. As part of this notice, the NAI
requires that its members’ websites allow users to opt out of this type
of data collection. In addition, the NAI requires that “reasonable security”
measures be taken to protect users’ data and that such data be
retained “only as long as necessary to fulfill a legitimate business need,
or as required by law,” and thereafter deleted or fully anonymized.

Q 8.9.2 How does the Network Advertising Initiative (NAI)
Code relate to the Digital Advertising Alliance
(DAA) Principles and Guidance?
The 2020 NAI Code of Conduct has a section titled “Relationship
to the DAA’s Principles and Guidance.” The DAA principles “govern
the entire digital advertising ecosystem, they are by nature broader
[and] in some cases less restrictive than the NAI Code.” The NAI Code
of Conduct “largely harmonizes with the DAA Principles as they apply
to covered activities by NAI member companies.” NAI-specific obliga-
tions are described on pages 3 and 4 of the 2020 NAI Code.

Q 8.9.3 What should companies do to comply with the
Digital Advertising Alliance (DAA) principles?
The DAA’s guidance to companies consists of seven “principles”
that are designed to have broad application to companies that use
online behavioral advertising.
The first principle calls on member companies to assist in educat-
ing users about OBA and its role in digital advertising. The second
relates to “transparency,” and (similar to the NAI Code of Conduct) rec-
ommends that “clear, meaningful, and prominent” notice be given to
users of a particular site’s data collection and use practices. Recently,
the Online Interest-Based Advertising (IBA) Accountability Program
began enforcing the enhanced notice requirements of the DAA princi-
ples for online IBA in video ads, under which advertisers must deliver
just-in-time notice to consumers when serving interest-based video
ads online and on mobile devices.30
The third principle is “consumer control,” and states that sites
should collect data only after they obtain consent from users, and
that sites should provide users with an “easy” means to withdraw that
consent.
Fourth, the DAA recommends that “physical, electronic and admin-
istrative safeguards” to prevent data breaches be implemented, and
that data used for OBA only be retained as long as legally required or
for a legitimate business need. Going further than the NAI, the DAA
suggests that all data collected for OBA purposes should be ano-
nymized to render them non-PII.
The DAA’s fifth principle, echoing the third, states that consent
should be obtained from users whenever there is a material change to
a site’s collection or use of OBA.
Sixth, the DAA has separate principles relating to three categories
of “sensitive data”: children’s data, health data, and financial data. The
DAA expressly references the federal COPPA standard regarding chil-
dren’s data (discussed in more detail in chapter 3). The DAA suggests
that specific consent be obtained for the use of health and financial data.
Seventh, and finally, the DAA suggests that members engage in
continual monitoring of their use of user data, including the nature of
their disclosures of such data.

Q 8.9.4 What should a website operator’s privacy policy say about online behavioral advertising?
There are no controlling statutes or regulations that expressly
state what must be included in a website’s privacy policy about OBA.
If a website plans to collect PII and use that information to support
the delivery of OBA, it is best to obtain users’ affirmative consent to
the privacy policy and disclose how such information is collected and
shared. For further discussion on best practices for what should be
included in a privacy policy, see chapter 2. The policy should inform
the user about OBA practices and should provide users an opportu-
nity to control whether, and how, their personal information is used.31

California Online Privacy Protection Act

Q 8.10 How does California’s “do not track” law apply to online behavioral advertising?
In 2013, California amended CalOPPA to include a very basic “do
not track” provision, which took effect on January 1, 2014. This provi-
sion requires websites to explain in privacy policies how a user may
request to not be “tracked” (through the use of cookies).32 In so doing,
CalOPPA effectively requires companies to explain how they collect
the user data that makes the provision of OBA possible, and to pro-
vide users with a disclosure of how to request that they not be tracked
in the future.

Q 8.10.1 How does an operator know whether California’s laws apply to it?
For practical purposes, every operator of a national website would
be prudent to conduct the site’s operations on the assumption that
it is subject to CalOPPA. While the statute technically applies only to
sites that collect PII from “consumers residing in California,”33 given the
geographic reach of the Internet, it is likely that any national website or
mobile app will collect personal information from California residents,
unless it creates specific technological barriers to such collection.34

Electronic Communications Privacy Act

Q 8.11 Can consumers bring private suits against companies who use online behavioral advertising?
Plaintiffs have brought class-action complaints alleging that their
privacy rights have been violated through OBA. These complaints have
cited a variety of laws that protect privacy rights, including California
laws and federal statutes like the Electronic Communications Privacy
Act (ECPA), popularly known as “the Wiretap Act.” Plaintiffs com-
monly cite the ECPA as a basis for purported liability based on the use
of cookies for tracking purposes in OBA.

Q 8.11.1 How does the Electronic Communications Privacy Act (ECPA) arguably apply to online behavioral advertising?
The ECPA is broadly written and encompasses Internet communi-
cations.35 In general, ECPA prohibits intercepting the contents of wire,
oral, or electronic communications sent over wires, unless you are a
party to the communication or have been given permission by a party
to the communication to make the interception. Under the ECPA, only
one party needs to give this consent; therefore, with respect to OBA,
if a website owner (which is one party in the communication between
website and user) consents to the collection of data for OBA, this cre-
ates a complete bar to recovery under the civil damages provision of
the ECPA.
The “contents” of communications under the ECPA can generally
be thought of as information that discloses the substance or purpose
of the communication. Private plaintiffs have used the ECPA to bring
suits against website operators that provide OBA via third parties.
Although the plaintiffs bringing these claims have generally been
unsuccessful, advertisers may consider the cost of defending these
lawsuits when evaluating their current practices and deciding on
whether to adopt new ones.

Q 8.11.2 How can online behavioral advertising create a liability under the Electronic Communications Privacy Act (ECPA)?
The scope of the consent by a party to the communication creates
some danger of liability under the ECPA.36 For example, if a contract
between a website owner and a third party allows the third party to
collect a limited set of information and the third party collects addi-
tional information, then the third party may have violated the ECPA by
not obtaining consent from one of the parties to the communication
for the full scope of the collection. Timing of collection also matters.
For example, the operator of a free email service may be entitled to
use the content of those emails to facilitate behavioral advertising if
the operator obtains proper consent, but doing so prior to the deliv-
ery of those emails to the user has led to at least one multi-million
dollar settlement.37

Q 8.11.3 How can an operator reduce the likelihood of an Electronic Communications Privacy Act (ECPA) violation?
To prevent an ECPA violation, it is advisable to ensure that any
third parties with access to a website user’s data act strictly in com-
pliance with their contractual obligations, particularly with regard to
what information is collected. Third parties that assist in collection of
data for OBA purposes generally do so by adding code to a website;
the capabilities of this code should be clearly understood by the web-
site operator both initially and following any updates.

Computer Fraud and Abuse Act

Q 8.12 How does the Computer Fraud and Abuse Act apply to online behavioral advertising?
Plaintiffs invoke the CFAA when they allege that they have incurred
damages or losses due to some alleged damage to the integrity or
accessibility of their data.
The CFAA was designed as an anti-hacking statute, and it applies to
(among other federal provisions) any unauthorized access or excess
access of an individual’s computer that causes at least $5,000 in
damages.38 Plaintiffs have brought civil claims for violations of the
CFAA on the grounds that storing information in a cookie file on the
user’s computer constitutes unauthorized access to that computer.
Thus far, plaintiffs have been unable to state a theory of damages that
reaches the $5,000 statutory threshold in the CFAA.

CASE STUDY: In re Google, Inc. Cookie Placement Consumer Privacy Litigation
In the putative class-action case,39 the district court dismissed
a CFAA claim because the plaintiffs failed to identify any dam-
age to the functionality of their computers. Moreover, the court
refused to hold that the mere disclosure of personal informa-
tion equates to economic damages for purposes of reaching the
CFAA’s $5,000 threshold.
These aspects of the decision were upheld on appeal; the appel-
late court likewise ruled that the Wiretap Act (the ECPA) is not
violated when cookies are used for data collection with one-
party consent. The appellate court reinstated a state-law intrusion
claim based on allegations that Google had overridden users’
cookie-blocker settings while promulgating a policy that users
could set their browsers to refuse cookies.

Children’s Online Privacy Protection Act


Q 8.13 What online behavioral advertising (OBA) concerns are raised for an operator of a website directed to children?
One of the few federal statutes that directly regulates OBA is
COPPA, which applies to websites “directed to” children under thir-
teen years old.40 In general, COPPA requires websites that have reason
to know that a particular user is under the age of thirteen to obtain
parental consent before collecting information about that user. For a
full discussion of COPPA requirements, see chapter 3.

Q 8.13.1 What must a website operator do to ensure compliance under the Children’s Online Privacy Protection Act (COPPA) with respect to online behavioral advertising?
Because OBA generally depends on persistent identifiers con-
tained within cookies, and because persistent identifiers are a type of
PII under COPPA, the use of OBA on a website may violate COPPA if
the website is directed to children under thirteen years old. Operators
who believe their website is subject to COPPA should ensure that
advertising served on their website is content-based and does not
involve the use of persistent identifiers to serve behavioral advertis-
ing. For a full discussion of COPPA requirements, see chapter 3.

Video Privacy Protection Act


Q 8.14 Do any specific laws apply to tracking of online user behavior regarding video content?
Websites or apps that provide video content may be covered by
the federal Video Privacy Protection Act (VPPA) and its state analogs.41
The VPPA, passed in 1988 after Judge Robert Bork’s video rental his-
tory was published in a newspaper during his 1987 Supreme Court
confirmation hearings, was designed to protect the video rental history
of a “consumer” (see Q 8.14.2) from being disclosed by a video
rental store. In addition to making it a crime to disclose a user’s video
rental history, the VPPA also contains a civil liability provision with a
$2,500 per violation liquidated damages provision.
The VPPA has been applied in the online context to companies
that provide online videos when a user’s video-watching history is dis-
closed with information about that user’s identity. In 2013, the VPPA
was amended to allow video-streaming services such as Netflix to
share users’ video-streaming histories on sites like Facebook if users
opt in online through robust renewable procedures.42 Additionally,
users can choose on a case-by-case basis whether to share certain
activity, and they can opt out at any time.43
Private litigation seeking to enforce the VPPA against online video
providers has, to date, been largely unsuccessful, though plaintiffs
continue to bring suits against companies they allege are making dis-
closures that violate the VPPA’s provisions.44

Q 8.14.1 How does a company know whether the Video Privacy Protection Act (VPPA) applies to its website?
The VPPA applies only to companies that provide “prerecorded
video cassette tapes or similar audio visual materials,” a definition
that reflects the technology in existence at the time that the VPPA
was enacted.45 The scope of this definition remains an open question.
Court decisions to date have indicated, or assumed, that the VPPA
applies to companies that provide online videos.
In In re Nickelodeon Consumer Privacy Litigation, the Third Circuit,
affirming the district court’s grant of Google’s motion to dismiss the
consolidated class action complaint, held that Google did not violate
the VPPA because, when Google was acting in its capacity as an ad
server, it did not provide video content. It was irrelevant that Google
also owned YouTube, a separate line of business not implicated in the
facts of the case.
In the statute’s language, Google was not a video tape service pro-
vider, so it was not subject to VPPA.46 Third parties are not entirely
immune, however. For example, at the motion-to-dismiss stage, a producer
of smart TVs was held to be a video tape service provider even
though it did not itself tender the videos, because the premium paid
for a smart TV indicated that consumers were paying for added video
streaming functionality even if they also paid other companies for the
actual videos.47
The violation of VPPA arises from disclosing information about
users’ viewing history. If a company simply provides video content
online without collecting any data that identifies who watches each
video, it would be virtually impossible for it to violate the VPPA. This
was the case in In re Nickelodeon, where the plaintiffs alleged that
Viacom collected, and disclosed to Google, facially anonymous UUIDs,
a child’s gender and age, and information about the user’s computer.
The court held that none of that information, on its own, was PII under
the VPPA and therefore dismissed the VPPA claim—“without more,”
the information did not actually identify users, and it did not suffice to
speculate about how Google might find other means of identification.48
The VPPA becomes a relevant consideration once a company
begins collecting PII. Purely anonymous data may not be subject to the
VPPA, since, by its terms, the disclosure must “identify a person.” At
this writing, it remains an open question whether VPPA plaintiffs will
gain traction with the theory that they can state a claim by pleading
that facially anonymous data can be matched to other data in order
to make the statutorily required identification. The majority view at
this point is that such a claim fails. One court, in Yershov v. Gannett
Satellite Information Network, Inc., ruling in unusual circumstances
involving geolocation data, has held that anonymous identifiers may
be VPPA-actionable PII.49 In contrast, the Ninth Circuit has adopted the
Third Circuit’s approach in In re Nickelodeon by applying the “ordi-
nary person” test in such cases, under which personally identifiable
information is defined as information that readily permits an ordinary
person to identify a particular individual as having watched certain
videos.50

Q 8.14.2 Is anyone who watches a video online a “consumer” protected under the Video Privacy Protection Act (VPPA)?
VPPA only protects the information of a “consumer,” defined as
“any renter, purchaser, or subscriber” of video goods or services.51
A key issue is whether a user of a website is a “subscriber” despite
not having paid money to view the video in question—free viewing, of
course, often being the order of the day on the Internet. One federal
district court has held that viewing a free online video does not make
a user a “subscriber” under the VPPA. The district court required a
“deliberate and durable affiliation with the provider” for a person to
be considered a subscriber. The First Circuit took a broader view,
holding that the downloading of a mobile app was sufficient to create
a “subscriber” relationship for VPPA purposes.52 As with other issues
under VPPA, this is a rapidly evolving area of law, with a substantial
volume of ongoing litigation.

Q 8.14.3 When does an operator have “knowledge” it is transmitting information under the Video Privacy Protection Act (VPPA)?
The VPPA requires that in order to be actionable, a disclosure must
be done “knowingly.”53 Thus, if a website operator does not knowingly
disclose a link between a user and a video, it may have a defense
against a VPPA claim.

CASE STUDY: In re Hulu Privacy Litigation
In In re Hulu Privacy Litigation,54 a federal district court ultimately
rejected a VPPA claim against video streaming provider Hulu,
holding that three discrete disclosures must be present in order to
establish a VPPA claim: (1) the identity of the viewer, (2) the iden-
tity of the specific video materials, and (3) a connection between
the two—the fact that the viewer requested the video materials.
Hulu provides online access to video content (television shows,
movies, and other prerecorded videos from networks and stu-
dios) through a video player that appears on a webpage called
a “watch-page.” When a Hulu watch-page was loaded with the
Facebook “Like” button, the user’s web browser would auto-
matically send to Facebook both the user’s numeric Facebook ID
(through the cookie) and the title of the video the user was watch-
ing (contained in the Hulu watch-page URL).

The district court granted Hulu’s motion for summary judgment,
finding no evidence that Hulu knew that Facebook might com-
bine a Facebook user’s identity with the watch-page address to
yield personally identifiable information under the VPPA.

Q 8.14.4 How can a website operator reduce the likelihood of a Video Privacy Protection Act (VPPA) violation?
If a website displays videos and collects information about the
users who watch those videos, the VPPA prohibits disclosure of infor-
mation that “identifies” a user along with that user’s video watching
history. The key to the VPPA is the link between the identity of the
person and his or her viewing history: Under the majority view, disclo-
sure of one without the other does not create VPPA liability.
Companies that provide online video content and use a viewer’s
history to provide OBA through a third party should endeavor not to
share any information about the viewer with that third party beyond
the fact that an anonymous viewer has watched a video file. The best
practice would be to share only an anonymized UUID—that the third
party cannot link to any other information—and the viewing history
that corresponds to that UUID. Operators can also anonymize the titles
of the videos in question in URLs, which can make the argument more
difficult for plaintiffs that the video-watching history was disclosed.
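
One way to implement the data minimization described above, as an added example that is not from the book: keyed, per-partner pseudonyms stand in for the viewer and for the video title, and an audit function checks what a third party would actually receive. The partner names, keys, URLs, account ID and title are constructed for illustration.

```python
import hashlib
import hmac
import uuid
from urllib.parse import unquote, urlsplit

# Constructed sample keys; assumption: one random secret per ad partner, kept server-side.
PARTNER_KEYS = {"adnet-a": b"constructed-key-a", "adnet-b": b"constructed-key-b"}

# Constructed sample data.
ACCOUNT_ID = "100004512"
SLUG = "the-example-show-s01e01"
IDENTIFIERS = ["100004512", "jane.doe@example.com"]
TITLES = ["The Example Show S01E01"]
# A watch-page URL that carries the title, sent alongside an identifying cookie value.
LEAKY_URL = "https://video.example/watch/the-example-show-s01e01"
LEAKY_PAYLOAD = {"c_user": "100004512"}


def _mac(partner: str, label: str, value: str) -> bytes:
    """Keyed digest scoped to one partner and one purpose."""
    msg = f"{label}\x00{value}".encode()
    return hmac.new(PARTNER_KEYS[partner], msg, hashlib.sha256).digest()


def viewer_uuid(partner: str, account_id: str) -> str:
    """Pseudonymous viewer ID: stable for one partner, different for every
    other partner, and not derivable from the account ID without the key."""
    return str(uuid.UUID(bytes=_mac(partner, "viewer", account_id)[:16]))


def video_token(partner: str, video_slug: str) -> str:
    """Opaque stand-in for a video title, safe to place in a URL."""
    return _mac(partner, "video", video_slug)[:12].hex()


def build_event(partner: str, account_id: str, video_slug: str) -> dict:
    """The only fields the ad partner receives."""
    return {"viewer": viewer_uuid(partner, account_id),
            "video": video_token(partner, video_slug)}


def watch_url(partner: str, video_slug: str) -> str:
    """Watch-page URL with the title replaced by its opaque token."""
    return f"https://video.example/watch/{video_token(partner, video_slug)}"


def audit_outbound(url: str, payload: dict, identifiers, titles) -> list:
    """Return findings for any identifier or title visible in the URL or
    payload that a third party would see."""
    parts = urlsplit(url)
    haystack = unquote(parts.path + "?" + parts.query).lower()
    haystack += " " + " ".join(str(v).lower() for v in payload.values())
    findings = []
    for ident in identifiers:
        if ident.lower() in haystack:
            findings.append(("identity", ident))
    for title in titles:
        slug = title.lower().replace(" ", "-")
        if title.lower() in haystack or slug in haystack:
            findings.append(("title", title))
    return findings


if __name__ == "__main__":
    print("leaky:", audit_outbound(LEAKY_URL, LEAKY_PAYLOAD, IDENTIFIERS, TITLES))
    event = build_event("adnet-a", ACCOUNT_ID, SLUG)
    print("minimized:", audit_outbound(watch_url("adnet-a", SLUG), event,
                                       IDENTIFIERS, TITLES))
```

The pseudonym is only as unlinkable as the key is secret, so the key must never be shared with the partner that receives the IDs.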

CASE STUDY: Yershov v. Gannett Satellite Information Network, Inc.
In Yershov v. Gannett Satellite Information Network, Inc.,55 plain-
tiffs alleged that the defendant violated the VPPA by offering a
mobile application with video content that, every time a user
viewed a video, automatically sent the title of the video, GPS
coordinates of the viewing device, and certain device identifiers
to a third-party analytics service, without obtaining user consent.56

Defendants moved to dismiss and, on the ground that the information
did not constitute personally identifiable information
(PII), the District Court granted the motion.57 On appeal, the First
Circuit reversed, saying that the plaintiffs sufficiently alleged that
the disclosed information, particularly GPS data and device identi-
fiers, in the hands of the third-party analytics company, was rea-
sonably and foreseeably likely to be linked to a certain person by
name, address, and phone number.58

Tracking and Collection of User Data


Cookies

Q 8.15 Can website users avoid having their information tracked for online behavioral advertising (OBA)?
In many cases, yes. A number of mechanisms exist for computer
users to circumvent cookies and other Internet activity trackers.
Many web browsers allow users to decline to accept all cookies, or to
accept cookies only if a user explicitly consents to each cookie being
placed. Third-party cookie and ad-blocking software such as AdBlock
performs a similar function.59 In addition, users can set most popu-
lar web browsers to automatically delete all cookies that were placed
during a browsing session when the browser is closed or after a given
time period. This software is less effective on mobile devices, how-
ever, and its implementation for HTML5 and Flash cookies is still in the
early stages of development.

Q 8.15.1 May a website operator circumvent software that allows users to block cookies?
No, at least when the company has promised not to do so. In 2012,
Google was fined $22.5 million by the FTC for placing cookies on its
users’ machines through Google’s DoubleClick subsidiary to deliver
OBA—after Google had told its users that they would automatically be
opted out of the placement of cookies on the users’ Apple Safari
browsers.60 The FTC made clear in its press release accompanying the
Google penalty that it would strictly monitor and enforce how com-
panies’ disclosures to users work in practice to guard against decep-
tive acts and practices. Google also faces private litigation arising
out of this incident, including litigation in the United Kingdom and a
U.S. class action in which an appellate court sustained a common-law
claim for intrusion upon seclusion.61

Data Brokers

Q 8.16 What considerations are raised where an operator enables its online behavioral advertising (OBA) by obtaining information from a third party?
A number of companies, such as Acxiom, aggregate user data and
sell that information for use in OBA, among other purposes. These
companies, known as data brokers, offer a fully legal service. The FTC
is focused on this space, however, and in 2013 launched its “Reclaim
Your Name” initiative to help users better understand the amount
of information that data brokers compile and how they use it.62 The
DAA’s self-regulatory principles on data collection and OBA, discussed
below, were developed largely in response to the FTC’s guidance on
this issue.
Companies that purchase user information from data brokers are
well-advised to obtain contractual representations that the data bro-
ker obtained the information in compliance with all relevant federal
and state laws.

Collection of Information from Multiple Sources

Q 8.17 What considerations are raised where an operator uses online behavioral advertising (OBA) by collecting information from multiple websites or devices?
In general, the principles governing the collection of data across multiple
websites or multiple devices (like a computer and a smartphone
or tablet) are not significantly different from those applicable to collection
on a single website. Because of the additional volume of information
being collected, and the richer portrait of a user that can be
created with the additional data, companies should be particularly
careful about what data they collect across sites or devices and how
it is used.
The FTC recommends63 that companies that utilize cross-device
tracking or advertising adhere to four pillars of privacy: transpar-
ency, choice, security, and restraint. Companies should truthfully and
meaningfully disclose their tracking or advertising activities. If raw
or hashed email addresses are used to facilitate the cross-device fea-
tures, the FTC warns against referring to this data as “anonymous or
aggregate[d],” given the possibility that it could be linked back to par-
ticular individuals. The FTC recommends giving customers a choice
to opt out of cross-device tracking, but emphasizes that even more
important than presenting a choice to customers is being honest
about the effect of a customer’s choice and ensuring any choice by
the customer is respected. Because cross-device datasets are often
rich with information, the FTC notes that they may be particularly
appealing targets for hackers, and thus providing adequate
cybersecurity is even more important for companies that target customers
across devices than those engaged in less comprehensive advertising
and tracking. The FTC also recommends that companies refrain from
engaging in cross-device tracking on certain particularly sensitive
topics, including health, financial, and children’s information, absent
express consent from consumers.
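
The linkage risk behind the FTC's warning about hashed email addresses can be checked on a company's own data. This added example (not from the book or the FTC) audits an export labelled "anonymous" for fields that are unsalted digests of known customer addresses, and shows how one such field joins records across devices; the addresses, device names and rows are constructed.

```python
import hashlib
from collections import defaultdict

# Digest algorithms commonly applied to email addresses before sharing.
ALGOS = ("md5", "sha1", "sha256")


def normalize(email: str) -> str:
    """Trim and lowercase, the usual step before an address is hashed."""
    return email.strip().lower()


def hashed(email: str, algo: str = "sha256") -> str:
    """Unsalted digest of a normalized address."""
    return hashlib.new(algo, normalize(email).encode()).hexdigest()


def digest_index(customer_emails) -> dict:
    """Map every unsalted digest of each known address back to that address."""
    index = {}
    for email in customer_emails:
        for algo in ALGOS:
            index[hashed(email, algo)] = (algo, normalize(email))
    return index


def audit_export(rows, customer_emails) -> list:
    """Flag export fields that are a known address or an unsalted digest of one.

    Returns (row_number, field, form, address) tuples, where form is "raw"
    or the digest algorithm that matched.
    """
    index = digest_index(customer_emails)
    raw = {normalize(e) for e in customer_emails}
    findings = []
    for n, row in enumerate(rows):
        for field, value in row.items():
            v = str(value).strip().lower()
            if v in raw:
                findings.append((n, field, "raw", v))
            elif v in index:
                algo, email = index[v]
                findings.append((n, field, algo, email))
    return findings


def cross_device_links(rows, key_field: str, device_field: str = "device") -> dict:
    """Group devices that share one value of key_field: the same digest on
    two devices works as a cross-device join key."""
    groups = defaultdict(list)
    for row in rows:
        groups[row[key_field]].append(row[device_field])
    return {k: v for k, v in groups.items() if len(v) > 1}


# Constructed sample data.
CUSTOMERS = ["jane.doe@example.com", "sam@example.org"]
EXPORT = [
    {"device": "phone-1", "uid": hashed("Jane.Doe@example.com"), "segment": "travel"},
    {"device": "laptop-7", "uid": hashed("jane.doe@example.com "), "segment": "travel"},
    {"device": "tablet-3", "uid": "0f" * 32, "segment": "autos"},
]

if __name__ == "__main__":
    for finding in audit_export(EXPORT, CUSTOMERS):
        print("not anonymous:", finding)
    print("linked devices:", list(cross_device_links(EXPORT, "uid").values()))
```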
The DAA also has released a set of principles specifically address-
ing collection of information over multiple sites. The DAA principles,
which are non-binding guidelines but which draw extensively from
the FTC’s statements about this issue, state that websites should be
clear about what information they are collecting from users; should
not use information to determine a user’s eligibility for insurance,
healthcare, employment, or credit, because that runs the risk of vio-
lating multiple federal and state laws; and should also carefully com-
ply with COPPA.64

Social Media Advertising


Q 8.18 What online behavioral advertising (OBA) opportunities does social media afford?
Given the social nature of sites and apps like Facebook, Twitter,
and Pinterest and the amount of data on users that they maintain,
social media offers an opportunity to tailor ads directly to users based
on their interests, demographics, geography, and social connections.
Social media advertising is quickly becoming a mainstream tool for
companies. One such type of advertising is known as “social context
advertising.”

Social Context Advertising

Q 8.19 What is social context advertising?


Social context refers to a message paired with advertisements that
tells the user that someone he is connected to through social media
has performed an action in connection with a brand or product. For
example, Facebook gives users the option to show their enthusiasm
for certain brands on Facebook by taking an action such as “liking” the
brand page. When Jane Doe “likes” the Facebook page for Company X,
Jane Doe’s friends may then see advertisements paired with a mes-
sage saying “Jane Doe likes Company X.” Advertisers use the tools
on the social network to encourage users to interact with the same
brands that their connections like. The precise form of social context
and the ways in which it allows users to interact with content on the
website may vary depending on the social media platform.

Q 8.19.1 What are the relevant privacy considerations when determining whether to use social context advertising on a social media platform?
A primary privacy concern raised by social context advertise-
ments is an individual’s right of publicity. More than thirty states
have statutes or common-law rules that prohibit the use of a person’s
name or likeness for a commercial purpose without consent. Written
consent is required in thirteen of these states. Because social context
advertisements often show a user’s name, and sometimes picture,
with a commercial advertisement, this form of advertising raises
right-of-publicity concerns.
In addition, companies wishing to advertise on social platforms
should be aware of industry-specific sources of guidance that may
increase scrutiny on their online promotion efforts. For example, the
Federal Financial Institutions Examination Council (FFIEC), on behalf
of its members, released guidance on the applicability of consumer
protection and compliance laws, regulations, and policies to activities
conducted via social media by banks, savings associations, and credit
unions, as well as nonbank entities supervised by the Consumer
Financial Protection Bureau.65

Q 8.20 What steps should a company take when advertising on social media to ensure its advertising complies with the right-of-publicity laws?
Companies that are considering placing social context advertising
should review the terms of use provided by social media platforms to
determine whether a user provides consent to the use of his or her
name and likeness in a commercial manner when opening an account
on the social media platform or at a subsequent point during the
user’s use of the service or product.

Q 8.20.1 What options does an advertiser have if a social media platform’s terms of use do not provide clear disclosure and obtain consent from users?
If the terms of use do not clearly obtain the consent to pair a user’s
name or likeness with commercial content, the advertiser’s options
are limited. Absent some change in the terms, the advertiser may seek
indemnification from the social media platform as a prerequisite for
advertising.

CASE STUDY: Fraley v. Facebook
This class action brought against Facebook for right-of-publicity
violations highlighted that the terms of use of the social media
platform must clearly inform users that they are consenting to
the use of their name and likeness in a commercial manner.66
The plaintiffs in Fraley challenged the ads that Facebook identi-
fied as “Sponsored Stories,” which often paired users’ names and
Facebook profile photos with ads based on actions that they had
taken on Facebook. The district court largely denied Facebook’s
motion to dismiss—in particular, allowing the right of publicity
claim to go forward.67 In settling the matter, Facebook agreed
to revise its terms of use to more clearly obtain the consent of
users with the statement: “You give us permission to use your
name, profile picture, content, and information in connection
with commercial, sponsored, or related content (such as a brand
you like) served or enhanced by us.” The Fraley settlement and
resulting changes to Facebook’s terms are a source of guidance
for the level of disclosure required to obtain user consent.

Q 8.20.2 If a platform’s terms of use clearly obtain consent for the commercial use of a user’s name or likeness, are potential right-of-publicity concerns eliminated?
It depends. A user who joins the social media platform after the
terms of use have been changed can be assumed to have provided
consent to the commercial use of his or her name or likeness if the
terms of use made disclosures to that effect. Pre-existing users who
have not affirmatively consented to the revised terms may still have
a potential right-of-publicity claim in states where written consent is
required. Advertisers choosing to promote their brands or products
after a change in the terms of use are well-advised to ensure that users
of the social media platform provided affirmative consent to the new
terms.

Digital Contact Tracing


Q 8.21 What is digital contact tracing?
Digital contact tracing is the use of technology to find and notify
everyone who has come into contact with an infected or contaminated
individual so that they can act to reduce the spread of an infectious
disease or contaminant. During the global coronavirus pandemic of
2020, national governments and private companies proposed or imple-
mented digital contact-tracing programs to mitigate the spread of the
novel coronavirus.68 These programs vary in scope, duration, and
data collection, retention, and usage. Digital contact tracing raises pri-
vacy issues, including the type of data collected, the identity of data
custodians, access to data and disclosure of data to third parties, data
use, and the nature, location, and duration of data storage.69

Q 8.21.1 How is contact-tracing data collected?


There are three primary approaches to collecting data in digital
contact tracing. The first method identifies an individual’s contacts
utilizing geolocation data gathered from GPS, triangulating cell tower
location data, and/or using Wi-Fi data. This data can be useful for
determining whether individuals are complying with quarantine or
self-isolation orders. For example, Google utilized users’ location data
to produce community mobility reports by country and region show-
ing changes in visits to six categories of places, including retail, gro-
cery and pharmacy, and parks.70 The use of geolocation data is con-
sidered the most privacy-invasive approach and is not widely used.
The second approach utilizes Bluetooth technology—an infected
individual’s phone communicates with other nearby phones via
Bluetooth. Individuals are then notified if they have come into “con-
tact” with nearby infected individuals. A “contact” might be recorded
based on the strength of the Bluetooth signal, which can show prox-
imity, and/or the duration of a nearby Bluetooth signal.71 While the
Bluetooth approach requires individual users to enable Bluetooth
on their cellular devices and therefore provides less coverage, this
approach preserves the greatest amount of individual privacy and is
by far the most popular approach.72 The third approach is a combina-
tion of both the first and second approaches.

In April 2020, Apple and Google announced they were collaborating to
develop a “Privacy-Preserving Contact Tracing” application programming
interface (API) using the Bluetooth approach that would
allow public health agencies to notify iPhone and Android users
when they come into close proximity with other users who have self-
reported a positive COVID-19 test result.73 MIT developed a simi-
lar system based on Apple’s “Find My” feature, which continuously
broadcasts short random strings of numbers to communicate with
nearby Apple devices.74 The Apple-Google exposure notification API
was initially released to developers before being released publicly in
May 2020.75

Q 8.21.2 Where is contact-tracing data stored?


Among the implemented and proposed contact-tracing pro-
grams, data is stored either centrally by a single authority or in a
decentralized and local manner, usually on individual users’ phones.
Decentralized Privacy-Preserving Proximity Tracing (DP-3T) is an
open-source protocol for Bluetooth-based contact tracing in which
an individual’s phone’s contact logs are stored locally on the phone.
The Apple-Google API is largely based on DP-3T76 and uses rotating,
randomized contact IDs to keep individuals’ information from being
shared with Apple and Google.77
The competing Pan-European Privacy-Preserving Proximity
Tracing (PEPP-PT) protocol also utilizes Bluetooth technology, but
stores information on a central server. Most European countries have
adopted the Bluetooth model, but differ in their approach to data stor-
age.78 However, storing contact logs centrally appears to be disfavored
and has pushed some countries to abandon PEPP-PT for the DP-3T
model. German authorities, for example, were persuaded to switch
from PEPP-PT to a decentralized approach when Apple refused to
change iPhone settings for German users in order for German author-
ities to utilize the centralized PEPP-PT protocol.79 Similarly, the UK’s
National Health Service (NHS) initially planned to utilize a centralized
system,80 but may also reconsider its decision and adopt a decentral-
ized protocol.81
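
The decentralized Bluetooth model described above, as a simplified Python sketch added here for illustration (it is not DP-3T's or the Apple-Google API's own code): the HMAC-based ID derivation, the 10-minute rotation, and the signal and duration thresholds are assumptions. It shows that the server only ever receives the keys of users who report a positive test, while contact logs and matching stay on each phone.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

INTERVALS_PER_DAY = 144   # assumption: a new broadcast ID every 10 minutes
MIN_RSSI_DBM = -65        # assumption: signal strength treated as "nearby"
MIN_DURATION_S = 120      # assumption: minimum duration for a "contact"

def ephemeral_id(daily_key: bytes, interval: int) -> bytes:
    """Rotating broadcast ID; IDs cannot be linked without the daily key."""
    msg = b"EPH-ID" + interval.to_bytes(4, "big")
    return hmac.new(daily_key, msg, hashlib.sha256).digest()[:16]

@dataclass
class Phone:
    name: str
    daily_key: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    contact_log: set = field(default_factory=set)  # stored only on the phone

    def broadcast(self, interval: int) -> bytes:
        return ephemeral_id(self.daily_key, interval)

    def observe(self, eph_id: bytes, rssi_dbm: int, duration_s: int) -> bool:
        """Log a contact only if the signal was strong AND long enough.
        (One policy choice; a program could also use either test alone.)"""
        if rssi_dbm >= MIN_RSSI_DBM and duration_s >= MIN_DURATION_S:
            self.contact_log.add(eph_id)
            return True
        return False

    def check_exposure(self, published_keys: list) -> int:
        """Re-derive IDs from published keys and match against the local log."""
        hits = 0
        for key in published_keys:
            for interval in range(INTERVALS_PER_DAY):
                if ephemeral_id(key, interval) in self.contact_log:
                    hits += 1
        return hits

class DecentralizedServer:
    """Holds only keys volunteered by users who reported a positive test."""
    def __init__(self):
        self.published_keys = []

    def report_positive(self, phone: Phone) -> None:
        self.published_keys.append(phone.daily_key)

def run_scenario() -> dict:
    alice, bob, carol = Phone("alice"), Phone("bob"), Phone("carol")
    # Constructed encounters: (observer, broadcaster, interval, RSSI, seconds)
    encounters = [
        (bob, alice, 50, -55, 600),    # close and long: recorded
        (bob, alice, 51, -58, 300),    # next interval, different ID: recorded
        (carol, alice, 50, -85, 900),  # long but weak signal: ignored
        (carol, bob, 70, -50, 30),     # strong but too brief: ignored
    ]
    for observer, sender, interval, rssi, secs in encounters:
        observer.observe(sender.broadcast(interval), rssi, secs)
    server = DecentralizedServer()
    server.report_positive(alice)      # alice self-reports a positive test
    return {
        "bob_hits": bob.check_exposure(server.published_keys),
        "carol_hits": carol.check_exposure(server.published_keys),
        "ids_differ": alice.broadcast(50) != alice.broadcast(51),
        "server_keys": len(server.published_keys),
    }

if __name__ == "__main__":
    print(run_scenario())
```

In a centralized design of the kind the text attributes to PEPP-PT, the equivalent of `contact_log` would be held by the server rather than kept on each phone.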

Q 8.22 What federal laws govern digital contact tracing?
The collection of protected health information (PHI) as part of
a contact-tracing program may be subject to the Health Insurance
Portability and Accountability Act (HIPAA), which regulates the pri-
vacy of medical records. Most companies are not likely to be subject to
HIPAA requirements because HIPAA only applies to covered entities—
defined as a health plan, a healthcare clearinghouse, or a healthcare
provider82—and their business associates.83 HIPAA is also not likely to
cover the information shared on contact-tracing apps. Even so, com-
panies should take care to ensure they do not in fact fall within the
definition of a covered entity; for example, an employer that operates
a self-funded health plan is a health plan subject to HIPAA rules and
regulations.84
The Federal Trade Commission can bring enforcement actions for
privacy and security violations under section 5 of the FTC Act and
other federal laws. In 2013, the FTC issued guidance on the collection
of mobile data with a strong emphasis on transparency and recom-
mending that platforms or operating system providers “[p]rovide just-
in-time disclosures to consumers and obtain their affirmative express
consent before allowing apps to access sensitive content like geolo-
cation.”85 Additionally, the FTC’s Fair Information Practice Principles
(FIPPs) present benchmark standards for information security prac-
tices. The FIPPs include notice/awareness, choice/consent, access/
participation, integrity/security, and enforcement/redress.86 While
FIPPs remain only recommendations, they are regarded as best prac-
tice and should be applied in developing any contact-tracing program.
In the United States, the use of location data in contact-tracing
efforts by governmental authorities could possibly violate the Fourth
Amendment right against unreasonable searches and seizures; how-
ever, such concerns remain theoretical until the government imple-
ments a mandatory digital contact-tracing program.87

Q 8.22.1 What are the requirements of the CCPA for contact-tracing data?
The CCPA provides California consumers with a right to know what
personal information is being collected by a company and how the
company uses that information; a right to request the deletion of
personal information; and a right to opt out of the sale of personal
information.88 Accordingly, companies engaged in contact tracing must
notify consumers of what personal information is being collected, how
they plan to use that information, and any disclosure of personal
information to third parties. If a company intends to sell the
information, the company must also provide consumers with a notice of
their right to opt out from such a sale.
Pending in California is the California Privacy Rights Act (CPRA), a
new initiative to appear on the November 2020 ballot that would cre-
ate an agency to enforce privacy protections. Importantly, the CPRA
defines “precise geolocation” information as sensitive information.
This definition would implicate additional privacy rights that would
make contact tracing more difficult.89

Notes to Chapter 8

1. See HTML5 Local Storage, W3Schools,
www.w3schools.com/html/html5_webstorage.asp (last visited May 15, 2017).
2. See IAB, Cookies on Mobile 101: Understanding the Limitations of Cookie-
Based Tracking for Mobile Advertising (Nov. 2013), www.iab.net/media/file/
CookiesOnMobile101Final.pdf.
3. See Yinzhi Cao, Song Li & Erik Wijmans, (Cross-)Browser Fingerprinting
via OS and Hardware Level Features (2017), http://yinzhicao.org/TrackingFree/
crossbrowsertracking_NDSS17.pdf; Robert Heaton, How Does Online Tracking
Actually Work?, Robert Heaton (Nov. 20, 2017), https://robertheaton.com/2017/
11/20/how-does-online-tracking-actually-work/.
4. For a more expansive list, see Scott R. Peppet, Regulating the Internet of
Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent,
93 Tex. L. Rev. 85 (2014), at 88:
[A] Fitbit bracelet or Nike+ FuelBand can track the steps you take in a
day, calories burned, and minutes asleep; a Basis sports watch will
track your heart rate; a Withings cuff will graph your blood pressure on
your mobile phone or tablet; an iBGStar iPhone add-on will monitor
your blood glucose levels; a Scanadu Scout will measure your tempera-
ture, heart rate, and hemoglobin levels; an Adidas miCoach Smart Ball
will track your soccer performance; a UVeBand or JUNE bracelet will
monitor your daily exposure to ultraviolet rays and notify your smart-
phone if you need to reapply sunscreen; a Helmet by LifeBEAM will
track your heart rate, blood flow, and oxygen saturation as you cycle;
a Mimo Baby Monitor “onesie” shirt will monitor your baby’s sleep
habits, temperature, and breathing patterns; a W/Me bracelet from
Phyode will track changes in your autonomic nervous system to detect
mental state (e.g., passive, excitable, pessimistic, anxious, balanced)
and ability to cope with stress; and a Melon or Muse headband can
measure brain activity to track your ability to focus. Other devices—
such as the popular Nest Thermostat; SmartThings’ home-automation
system; the Automatic Link driving and automobile monitor; GE’s new
line of connected ovens, refrigerators, and other appliances; and
Belkin’s WeMo home electricity and water-usage tracker—can in com-
bination measure your driving habits, kitchen-appliance use, home
electricity and water consumption, and even work productivity. (cita-
tions omitted)
5. See, e.g., What Is Retargeting?, AdRoll, www.adroll.com/getting-started/
retargeting (“How does retargeting work?”) (last visited May 15, 2017).

6. Michal Wlosik, What Is Behavioral Targeting and How Does It Work?,
Clearcode, https://clearcode.cc/blog/behavioral-targeting/ (last visited July 28,
2020).
7. Seth Cline, The Politics of Your Pandora Station, U.S. News & World Rep.
(Aug. 31, 2012), www.usnews.com/news/articles/2012/08/31/the-politics-of-your-
pandora-station-the-politics-of-your-pandora-station.
8. See, e.g., Ruiz v. Gap, Inc., 380 F. App’x 689 (9th Cir. 2010) (affirming grant
of summary judgment for defendant (Gap) in putative class action for damages
based on a data privacy breach in part because plaintiffs could not demonstrate
actual damages).
9. See generally Online Advertising and Marketing, Fed. Trade Comm’n [FTC],
www.ftc.gov/tips-advice/business-center/advertising-and-marketing/online-
advertising-and-marketing (last visited May 15, 2017).
10. Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub.
L. No. 104-191, 110 Stat. 1938 (1996); Stored Communications Act (SCA), 18 U.S.C.
§§ 2701–12; Fair Credit Reporting Act (FCRA), 15 U.S.C. § 1681. See, e.g., Holyoak v.
Google Inc., No. 15-15858 (9th Cir. 2017) (plaintiff class accused Google of violating
users’ privacy by revealing their Internet search terms to third-party websites, but
the parties settled before the class was certified, agreeing that Google would pay
$8.5 million to charities, including class counsels’ alma maters, and provide infor-
mation on its website disclosing how users’ search terms are shared).
11. 18 U.S.C. § 1030 et seq.
12. See California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof.
Code §§ 22575–79.
13. See IoT Cybersecurity Improvement Act of 2019, H.R. 1668, 116th Cong.
(2019), www.congress.gov/bill/116th-congress/house-bill/1668/text; National
Institute of Standards and Technology guidelines.
14. Section 5 of the FTC Act, 15 U.S.C. § 45.
15. FTC Policy Statement on Unfairness, Fed. Trade Comm’n (Dec. 17, 1980),
www.ftc.gov/public-statements/1980/12/ftc-policy-statement-unfairness.
16. Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid
Change: Recommendations for Businesses and Policymakers (2012), www.ftc.gov/
sites/default/files/documents/reports/federal-trade-commission-report-protect-
ing-consumer-privacy-era-rapid-change-recommendations/120326privacyreport.pdf.
17. See Edith Ramirez, Comm’r, Fed. Trade Comm’n, Remarks at Privacy by
Design Conference: Privacy by Design and the New Privacy Framework of the
U.S. Federal Trade Commission (June 13, 2012), www.ftc.gov/sites/default/files/
documents/public_statements/privacy-design-and-new-privacy-framework-u.s.federal-
trade-commission/120613privacydesign.pdf.
18. Turn Inc., Dkt. No. C-4612 (Fed. Trade Comm’n Apr. 6, 2017), www.ftc.gov/
system/files/documents/cases/152_3099_c4612_turn_decision_and_order.pdf.
19. Id.
20. Id.
21. Id.

22. Lenovo Reaches Proposed 8.3 Million Settlement Agreement, Fed. Trade
Comm’n (July 16, 2018).
23. Lenovo Settles FTC Charges it Harmed Consumers with Preinstalled Software
on its Laptops that Compromised Online Security, Fed. Trade Comm’n (Sept. 5, 2017),
https://www.ftc.gov/news-events/press-releases/2017/09/lenovo-settles-
ftc-charges-it-harmed-consumers-preinstalled.
24. Fed. Trade Comm’n, Self-Regulatory Principles for Online Behavioral
Advertising (2009), www.ftc.gov/sites/default/files/documents/reports/federal-
trade-commission-staff-report-self-regulatory-principles-online-behavioral-advertising/
p085400behavadreport.pdf.
25. In addition to the NAI and DAA frameworks discussed below, see, e.g.,
Privacy Resources, Direct Mktg. Ass’n [DMA], https://thedma.org/resources/privacy-
resources/ (last visited May 15, 2017); Self-Regulatory Principles for Online
Behavioral Advertising, Interactive Advert. Bureau [IAB] (Apr. 7, 2014), www.iab.
com/news/self-regulatory-program-for-online-behavioral-advertising.
26. See About the NAI, Network Advert. Initiative [NAI], www.network
advertising.org/about-nai/about-nai (last visited May 6, 2020).
27. See The NAI Code of Conduct, Network Advert. Initiative [NAI], www.
networkadvertising.org/code-enforcement/code (last visited May 15, 2017).
28. See About the Digital Advertising Alliance, Dig. Advert. All. [DAA], www.
aboutads.info/associations (last visited May 15, 2017).
29. See DAA Self-Regulatory Principles, Dig. Advert. All. [DAA], www.digital
advertisingalliance.org/principle (last visited May 15, 2017).
30. Compliance Warning: Interest-Based Video Ads Require Transparency,
Choice, Advert. Self-Regulatory Council (Dec. 11, 2017), https://www.bbb.org/
globalassets/local-bbbs/council-113/media/behaviorial-advertising/compliance-
warning-cw-05-2017-video-ads.pdf.
31. See https://clearcode.cc/blog/behavioral-targeting/.
32. See Calif. Do-Not-Track Law Will Have National Impact, Law360 (Dec. 12,
2013), www.law360.com/articles/494614/calif-do-not-track-law-will-have-national-
impact.
33. CalOPPA, Cal. Bus. & Prof. Code §§ 22575–79.
34. Fed. Trade Comm’n, Protecting Consumer Privacy in an Era of Rapid
Change: Recommendations for Businesses and Policymakers (Mar. 2012), www.ftc.
gov/sites/default/files/documents/reports/federal-trade-commission-report-
protecting-consumer-privacy-era-rapid-change-recommendations/120326
privacyreport.pdf; Fed. Trade Comm’n, Privacy Online: Fair Information Practices
in the Electronic Marketplace (May 2000), www.ftc.gov/sites/default/files/
documents/reports/privacy-online-fair-information-practices-electronic-market
place-federal-trade-commission-report/privacy2000text.pdf; CalOPPA, Cal. Bus. &
Prof. Code §§ 22575–79.
35. 18 U.S.C. § 2510 et seq.

36. See Thomas Gilbertsen, How ECPA Applies to Behavioral Advertising,
Law360 (Jan. 30, 2013), www.law360.com/articles/411216/how-ecpa-applies-to-
behavioral-advertising.
37. See Matera v. Google, Inc., No. 5:15-cv-04062 (N.D. Cal. July 21, 2017).
38. Id.
39. In re Google, Inc. Cookie Placement Consumer Privacy Litig., 988 F. Supp.
2d 434, 447–48 (D. Del. 2013), aff’d in part, vacated in part, remanded, 806 F.3d 125
(3d Cir. 2015), petition for cert. docketed, No. 15-1141 (Mar. 14, 2016).
40. CalOPPA, 15 U.S.C. §§ 6501–06.
41. 18 U.S.C. § 2710 et seq.
42. New Video Law Lets You Share Your Netflix Viewing on Facebook, CNN
Money (Jan. 10, 2013), http://money.cnn.com/2013/01/10/technology/social/
netflix-vppa-facebook/.
43. Id.
44. Allison Grande, Hulu’s Win Won’t Halt Video Privacy Class Actions, Law360
(Apr. 1, 2015), www.law360.com/articles/638399/hulu-s-win-won-t-halt-video-privacy-
class-actions.
45. 18 U.S.C. § 2710(a)(4).
46. Nickelodeon, 827 F.3d at 281.
47. In re Vizio, Inc., Consumer Privacy Litig., Case No. 8:16-ml-02693-JLS-KES
(C.D. Cal. Mar. 2, 2017).
48. Nickelodeon, 827 F.3d at 283–89, at *9–13; see also In re Nickelodeon
Consumer Privacy Litig., 2015 WL 248334, at *3–4 (D.N.J. Jan. 20, 2015), appeal
docketed, No. 15-1441 (3d Cir. Feb. 23, 2015).
49. Yershov v. Gannett Satellite Info. Network, Inc., 2016 WL 1719825 (1st Cir.
Apr. 29, 2016).
50. Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) (holding that per-
sonally identifiable information is information that readily permits an ordinary
person to identify a particular individual as having watched certain videos).
51. 18 U.S.C. § 2710(a)(1).
52. Yershov v. Gannett Satellite Info. Network, Inc., 2016 WL 1719825 (1st Cir.
Apr. 29, 2016).
53. 18 U.S.C. § 2710(b)(1).
54. In re Hulu Privacy Litig., 86 F. Supp. 3d 1090, 1095 (N.D. Cal. 2015).
55. Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir.
2016).
56. Id. at 484–85.
57. See id. at 484.
58. See id. at 486.
59. See, e.g., About AdBlock Plus, Adblock, https://adblockplus.org/en/about
(last visited May 18, 2016).
60. Press Release, Fed. Trade Comm’n, Google Will Pay $22.5 Million to Settle
FTC Charges It Misrepresented Privacy Assurances to Users of Apple’s Safari
Internet Browser (Aug. 9, 2012).

61. See Nick Summers, Google Loses Bid to Block Safari Privacy Lawsuit in the
UK, Engadget (Mar. 27, 2015), www.engadget.com/2015/03/27/google-safari-
court-appeal/; Google, Inc. Cookie Placement, 988 F. Supp. 2d 434.
62. Julie Brill, Comm’r, Fed. Trade Comm’n, Keynote Address at 23rd
Computers Freedom and Privacy Conference: Reclaim Your Name (June 26, 2013),
www.ftc.gov/sites/default/files/documents/public_statements/reclaim-your-name/
130626computersfreedom.pdf.
63. See Fed. Trade Comm’n, Cross-Device Tracking: An FTC Staff Report
(Jan. 2017), www.ftc.gov/system/files/documents/reports/cross-device-tracking-
federal-trade-commission-staff-report-january-2017/ftc_cross-device_tracking_
report_1-23-17.pdf.
64. See About the Self-Regulatory Principles for Multi-Site Data, Dig. Advert.
All. [DAA], www.aboutads.info/msdprinciples (last visited May 15, 2017).
65. See Fed. Deposit Ins. Corp. [FDIC], Fin. Inst. Letter FIL-56-2013, Social
Media: Consumer Compliance Risk Management Guidance (Dec. 11, 2013), www.
fdic.gov/news/news/financial/2013/fil13056.pdf.
66. Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal. 2011).
67. Id. at 790.
68. Patrick Howell O’Neill, Tate Ryan Mosley & Bobbie Johnson, A Flood of
Coronavirus Apps Are Tracking Us. Now It’s Time to Keep Track of Them, MIT Tech.
Rev. (May 7, 2020), www.technologyreview.com/2020/05/07/1000961/launching-
mittr-covid-tracing-tracker/.
69. Jay Stanley & Jennifer Stisa Granick, The Limits of Location Tracking in an
Epidemic, ACLU (Apr. 8, 2020), www.aclu.org/report/aclu-white-paper-limits-
location-tracking-epidemic.
70. COVID-19 Community Mobility Reports, Google (last visited July 7, 2020),
www.google.com/covid19/mobility/; see also Kate Cox, Google Knows If Everyone
in Your County Is Actually Staying Home or Not, Ars Technica (Apr. 3, 2020, 1:58 PM),
https://arstechnica.com/tech-policy/2020/04/google-knows-if-everyone-
in-your-county-is-actually-staying-home-or-not/.
71. Nigel Smart, What the DP-3T Initiative Means for Privacy, Unbound (Apr. 28,
2020), www.unboundtech.com/dp-3t-initiative-means-privacy/ (“The notion of
‘seen’ can be modified to deal with medical knowledge (e.g., the phone might only
record identifiers seen over a two minute period, or with a strong signal denoting
proximity).”).
72. Id.
73. Allison Grande, Apple, Google Unveil Joint Effort to Track COVID-19 Spread,
Law360 (Apr. 10, 2020, 9:40 PM), www.law360.com/articles/1262651/apple-google-
unveil-joint-effort-to-track-covid-19-spread.
74. Darrell Etherington, MIT Develops Privacy-Preserving COVID-19 Contact
Tracing Inspired by Apple’s ‘Find My’ Feature, TechCrunch (Apr. 9, 2020, 6:48 AM),
https://techcrunch.com/2020/04/09/mit-develops-privacy-preserving-
covid-19-contact-tracing-inspired-by-apples-find-my-feature/.

75. Darrell Etherington, Apple and Google Release First Seed of COVID-19
Exposure Notification API for Contact Tracing App Developers, TechCrunch (Apr. 29,
2020, 11:00 AM), https://techcrunch.com/2020/04/29/apple-and-google-release-
first-seed-of-covid-19-exposure-notification-api-for-contact-tracing-app-developers/
?guccounter=1.
76. Darrell Etherington & Natasha Lomas, Apple and Google Update Joint
Coronavirus Tracing Tech to Improve User Privacy and Developer Flexibility,
TechCrunch (Apr. 24, 2020, 10:15 AM), https://techcrunch.com/2020/04/24/
apple-and-google-update-joint-coronavirus-tracing-tech-to-improve-user-privacy-
and-developer-flexibility/.
77. Anthony Ha, Daily Crunch: Apple and Google Begin Releasing Their
Exposure Notification API, TechCrunch (Apr. 30, 2020, 10:10 AM), https://
techcrunch.com/2020/04/30/daily-crunch-apple-and-google-begin-releasing-their-
exposure-notification-api/.
78. Douglas Busvine & Andreas Rinke, Germany Flips to Apple-Google
Approach on Smartphone Contact Tracing, Reuters (Apr. 26, 2020, 1:51 AM), www.
reuters.com/article/us-health-coronavirus-europe-tech/germany-flips-to-apple-
google-approach-on-smartphone-contact-tracing-idUSKCN22807J. Some Asian
countries have also adopted the Bluetooth model. See, e.g., Dean Koh, Singapore
Government Launches New App for Contact Tracing to Combat Spread of COVID-19,
MobiHealthNews (Mar. 20, 2020, 10:38 AM), www.mobihealthnews.com/news/
asia-pacific/singapore-government-launches-new-app-contact-tracing-combat-
spread-covid-19.
79. Busvine & Rinke, supra note 78.
80. Sara Morrison, The United Kingdom’s Contact Tracing App Could Be a
Preview of America’s Digital Tracing Future, Vox (May 6, 2020, 1:20 PM), www.vox.
com/recode/2020/5/6/21247955/united-kingdom-nhs-contact-tracing-app.
81. Natasha Lomas, UK Eyeing Switch to Apple-Google API for Coronavirus
Contact Tracing—Report, TechCrunch (May 7, 2020, 4:33 AM), https://techcrunch.
com/2020/05/07/uk-eyeing-switch-to-apple-google-api-for-coronavirus-
contacts-tracing-report/.
82. 45 C.F.R. § 160.103 (2020).
83. Id.
84. David Strauss, Wakaba Tessier, Megan Herr & Erica M. Ash, U.S. Privacy
Law Implications for Employers Considering Employee Contact-Tracing Apps, Byte
Back (Apr. 20, 2020), www.bytebacklaw.com/2020/04/u-s-privacy-law-implications-
for-employers-considering-employee-contact-tracing-apps/.
85. Mobile Privacy Disclosures: Building Trust Through Transparency, Fed.
Trade Comm’n, at ii (Feb. 2013), www.ftc.gov/reports/mobile-privacy-disclosures-
building-trust-through-transparency-federal-trade-commission; see also Scott Pink
& John Dermody, Where Will the Needle Land? COVID-19 Contact Tracing v. Protecting
Personal Privacy, Law.com (June 12, 2020, 7:00 AM), www.law.com/legaltech-
news/2020/06/12/where-will-the-needle-land-covid-19-contact-tracing-v-
protecting-personal-privacy/.

86. Privacy Online: A Report to Congress, Fed. Trade Comm’n (June 1998),
www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-
congress/priv-23a.pdf.
87. Patrick McKnight, Could Contact Tracing Technology Violate the Fourth
Amendment?, ABA (June 11, 2020), www.americanbar.org/groups/business_law/
publications/committee_newsletters/cyberspace/2020/202006/contact-tracing/.
88. Cal. Civ. Code §§ 1798.100–.115 (West). For more on the requirements of
the CCPA, see chapter 9.
89. Scott Pink & John Dermody, Where Will the Needle Land? COVID-19 Contact
Tracing v. Protecting Personal Privacy, Law.com (June 12, 2020, 7:00 AM), www.law.
com/legaltechnews/2020/06/12/where-will-the-needle-land-covid-19-contact-
tracing-v-protecting-personal-privacy/.
